U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Evaluation Report
The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2012

OAS-L-13-01                        November 2012

Department of Energy
Washington, DC 20585

November 7, 2012

MEMORANDUM FOR THE EXECUTIVE DIRECTOR, FEDERAL ENERGY REGULATORY COMMISSION

FROM:      Daniel M. Weeber
           Assistant Inspector General for Audits and Administration
           Office of Inspector General

SUBJECT:   INFORMATION: Evaluation Report on "The Federal Energy Regulatory Commission's Unclassified Cyber Security Program - 2012"

BACKGROUND

The Federal Energy Regulatory Commission (Commission) is an independent agency within the Department of Energy responsible for, among other things, regulating interstate transmission of the Nation's electricity, natural gas and oil. In addition, the Commission licenses and inspects private, municipal and state hydroelectric projects. To achieve its mission, the Commission relies on a wide range of information technology (IT) resources to help ensure that rates and terms and conditions for the wholesale of electric energy and natural gas are just and reasonable, and promote the development of a safe, reliable and efficient energy infrastructure. As highlighted by recent cyber attacks on Federal entities, the information security threat landscape continues to change, and vulnerable IT resources continue to be exploited. To help protect against continuing cyber security threats, the Commission estimated that it would expend approximately $5.3 million during Fiscal Year (FY) 2012 to secure its IT assets, a 39 percent increase from FY 2011.

The Federal Information Security Management Act of 2002 (FISMA) established requirements for Federal agencies regarding the management and oversight of information security risks, to ensure that IT resources were adequately protected. As directed by FISMA, the Office of Inspector General conducted an independent evaluation of the Commission's unclassified cyber security program to determine whether it adequately protected data and information systems. This report presents the results of our evaluation for FY 2012.

CONCLUSIONS AND OBSERVATIONS

The Commission had taken action to further improve its cyber security posture and mitigate risks associated with the weaknesses identified during our FY 2011 evaluation. While these actions are noteworthy, our current evaluation disclosed that additional opportunities existed to better protect its information systems and data. Specifically, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities.

Due to security considerations, information on specific vulnerabilities has been omitted from this report. However, management was provided detailed information regarding identified vulnerabilities and, in certain instances, had initiated corrective action.

Positive Aspects

We identified a number of positive measures taken by the Commission related to enhancing its unclassified cyber security program. For instance, we noted that the Commission continued to make improvements in implementing the existing Vulnerability Management Program (VMP). Specifically, we found that the Commission:

   •   Initiated a project to upgrade the software tool used to manage patch and software deployment. Officials stated that completion of this project is expected in late 2012 and should reduce the need to manually update systems; and,

   •   Had identified and continued to monitor vulnerabilities through its VMP and Plan of Action and Milestones (POA&M) processes.

Patch Management

Although significant progress had been made to secure the Commission's network devices, servers and workstations, our testing identified additional opportunities for it to ensure that all devices were patched in a timely manner. Specifically, of the 337 workstations tested, 33 contained vulnerable productivity applications, and 105 workstations were using software utilities that had not been patched. All of the vulnerabilities were considered to be high risk by the vendor and were more than 90 days old, including some affecting workstations that were more than 2 years old. Affected systems included workstations utilized by financial application users and system administrators with privileged levels of access to financial systems and general support systems. As noted by the National Institute of Standards and Technology, proactively identifying and remediating system vulnerabilities can reduce or eliminate the potential for exploitation and involves considerably less time than responding to an exploit. Notably, our scans of network devices and servers did not identify any significant vulnerabilities.

Policy Implementation

As in past years, the problems we identified with the Commission's vulnerability management process were due, in part, to less than fully effective implementation of policies and procedures. In particular, although action had been taken to strengthen the Commission's VMP and POA&M processes, our review of weaknesses in the POA&M disclosed that 35 high- and medium-risk vulnerabilities had not been remediated within the VMP-defined remediation timeframes. For example, the VMP required that high-risk vulnerabilities be remediated within 30 days. However, our testing found that each of the identified high-risk vulnerabilities had significantly exceeded the prescribed timeframe for remediation.

In addition, Commission officials informed us that they did not follow their existing VMP policies due to budget and resource constraints. As such, the identified high-risk vulnerabilities had not been remediated in a timely manner. Officials stated, and we agree, that successful completion of the Commission's ongoing project to update its patch management tools should further enhance its VMP.

Risks to Systems and Information

Although the Commission continued to make progress in improving its cyber security posture, additional actions are needed to further reduce the risk to the agency's information systems and data. In particular, workstations running vulnerable applications and utilities were at a heightened risk for malicious attacks that could result in the compromise of those systems and/or the information contained within them. For example, an attacker could exploit the vulnerabilities to gain unauthorized access to systems, applications and sensitive data, including financial systems and data, which could disrupt normal business operations or have negative impacts on system and data reliability.

SUGGESTED ACTION

To correct the weaknesses identified in this report and improve the effectiveness of the Commission's unclassified cyber security program, we suggest that the Executive Director, Federal Energy Regulatory Commission, take the following action:

   •   Update and implement existing vulnerability and patch management procedures as needed to ensure that security vulnerabilities are remediated and verified in a timely manner.

We appreciate the cooperation of the Commission and its ongoing efforts to ensure that its unclassified cyber security program is managed efficiently and effectively. Because no recommendations are being made in this report, a formal response is not required.

Attachment

cc:   Deputy Secretary
      Associate Deputy Secretary
      Chief of Staff

Attachment 1

OBJECTIVE, SCOPE AND METHODOLOGY

OBJECTIVE

To determine whether the Federal Energy Regulatory Commission's (Commission) unclassified cyber security program adequately protected data and information systems.

SCOPE

The evaluation was performed between May 2012 and November 2012, at the Commission's Headquarters in Washington, DC. Specifically, KPMG, LLP (KPMG), the Office of Inspector General's (OIG) contract auditor, performed an assessment of the Commission's unclassified cyber security program. The evaluation included a review of general and application controls in areas such as security management, access controls, configuration management, segregation of duties and contingency planning.

METHODOLOGY

To accomplish our objective, we:

   •   Reviewed Federal laws and regulations related to controls over information technology security, such as the Federal Information Security Management Act of 2002, Office of Management and Budget Memoranda, and National Institute of Standards and Technology standards and guidance;

   •   Evaluated the Commission in conjunction with its annual audit of the financial statements, utilizing work performed by KPMG. OIG and KPMG work included analysis and testing of general and application controls for the network and systems and review of the network configuration;

   •   Reviewed the overall unclassified cyber security program management, including the Commission's policies, procedures and practices;

   •   Held discussions with Commission officials and reviewed relevant documentation; and,

   •   Reviewed prior reports issued by the OIG and the Government Accountability Office.

We conducted this evaluation in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the effort to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Accordingly, we assessed significant internal controls and the Commission's implementation of the GPRA Modernization Act of 2010 and determined that it had not established performance measures for its unclassified cyber security program. Because our evaluation was limited, it would not have necessarily disclosed all internal control deficiencies that may have existed at the time of our evaluation.

We relied on computer-processed data to satisfy our objective. In particular, computer-assisted audit tools were used to perform probes of various networks and drives. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.

Management waived an exit conference.

Attachment 2

PRIOR REPORTS

•   Evaluation Report on The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2011 (OAS-M-12-01, November 2011). The Federal Energy Regulatory Commission (Commission) had taken actions to improve its cyber security posture and mitigate risks associated with certain issues identified during our Fiscal Year (FY) 2010 evaluation. While these measures were noteworthy, our evaluation disclosed that additional action was needed to further protect information systems and data. Specifically, we continued to identify weaknesses related to the Commission's timely remediation of software vulnerabilities. The problems we identified with the Commission's vulnerability management program were due, in part, to less than fully effective implementation of policies and procedures. Although the Commission continued to make progress in improving its cyber security posture, additional actions were needed to further reduce the risk to the agency's information systems and data. Management concurred with the report's recommendations and commented that it had initiated actions to address weaknesses identified during our evaluation.

•   Evaluation Report on The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2010 (OAS-M-11-01, October 2010). The Commission had taken actions to significantly improve its cyber security posture and mitigate risks associated with each of the four weaknesses we identified during our FY 2009 evaluation. However, additional action was needed to improve protection of information systems and data. Specifically, we found that security patches needed to resolve known vulnerabilities discovered during regularly scheduled scans were not applied to all workstations in a timely manner. In addition, even though officials had established an automated mechanism for tracking all known vulnerabilities, only 10 percent of the identified high-risk vulnerabilities were actually being tracked. The problems we identified with the Commission's unclassified cyber security program were due, in part, to the less than fully effective implementation of policies and procedures. As such, the risk to the agency's information systems and data remained higher than necessary. Management concurred with the report's recommendations and commented that it had initiated actions to address weaknesses identified during our evaluation.

•   Evaluation Report on The Federal Energy Regulatory Commission's Unclassified Cyber Security Program – 2009 (DOE/IG-0830, October 2009).
    The Commission had taken steps to improve its unclassified cyber security program; however, additional actions were necessary to help ensure the networks, systems and data were adequately protected against increasingly sophisticated cyber security attacks. These problems occurred, at least in part, because the Commission had not developed policies and procedures to address all Federal requirements pertaining to information security. In addition, officials had not always effectively implemented existing policy and/or corrected previously observed weaknesses. The Commission's Plan of Action and Milestones process for addressing cyber security weaknesses did not include all information necessary to ensure effectiveness. Management concurred with the report's recommendations and commented that it had initiated or already completed actions to address weaknesses identified during our evaluation.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page
http://energy.gov/ig